Wednesday, January 30, 2013

In September 1971, this blogger was on a lonely research trip to Waco, TX. He stayed in an old-style motel and the room had neither a telephone nor a TV set. To fill the lonely evening hours, this blogger purchased the October 1971 issue of Esquire magazine. The lead article in the 'zine was "Secrets of the Little Blue Box." It was an early encounter with hackers before they were cyber outlaws. Today, this blog observes that first act of hacking a system. If this is (fair & balanced) cyberpunking, so be it.

Ralph Barclay was walking through the engineering library at Washington State University, just minding his own business, when it called out to him. He couldn’t say why, it just did.

It was a booklet, about 18 by 23 centimeters and maybe a centimeter thick, on display in the library’s new periodicals section. Its pale blue cover proclaimed it to be the November 1960 issue of something called The Bell System Technical Journal. It had been out for less than a week.

Barclay looked at the table of contents printed on its cover. Most of the articles could put even the hardest of hard-core geeks to sleep at 20 paces: “Magnetic Latching Relays Using Glass Sealed Contacts,” “Molecular Structure in Crystal Aggregates of Linear Polyethylene,” or the ever popular “Ionic Radii, Spin-Orbit Coupling, and the Geometrical Stability of Inorganic Complexes.”

But one title caught his eye: “Signaling Systems for Control of Telephone Switching” [PDF]. He flipped to the article and started skimming. Minutes passed. His original purpose for coming to the library shelved for the moment, he sat down and began to read in earnest.

Barclay was just 18. Athletic and of medium build, with brown hair and blue eyes, Barclay had started his first year at Washington State’s Pullman campus, about 50 miles [80 kilometers] south of Spokane, just a couple of months earlier. “I was living in the dorm,” he remembers, “and a lot of people in the dorm are looking for ways to make cheap phone calls home to their girlfriends and parents and suchlike.” One of the guys in the dorm had “somehow,” he says, acquired his own personal pay telephone. And although students weren’t allowed to have telephones installed in their rooms, for some reason the dorm rooms still had telephone lines in them.

Barclay’s dorm had quite a few engineers in it—and engineers, Barclay allows, are a problem. The engineers soon determined that somebody had left the door unlocked to the building’s telephone closet, the little room where all the telephone wires come from. In the dark of night an operation was mounted. Certain wires were cross-connected. Et voilà: A pay telephone line from somewhere on campus ended up connected to the personal pay phone in Barclay’s dorm. Barclay and the other kids in the dorm could now make telephone calls by depositing money in the pay phone, just like usual. The difference was this: The owner of the pay phone—apparently not a business major—was a nice guy and returned the caller’s money after each call.

Maybe it was this pay phone hack that caused Bells to ring in Barclay’s brain when he spotted the article in the Bell System Technical Journal. The article laid bare the technical inner workings of AT&T’s long-distance telephone network with clarity, completeness, and detail. It was all there: how the long-distance switching machines sang to each other with single-frequency (SF) and multifrequency (MF) tones, how 2600 hertz was used to indicate whether a telephone had answered, what the frequencies were of the tones that made up the MF digits, how overseas calls were made—it even included simplified schematic diagrams for the electrical circuits necessary to generate the tones used to control the network. Nothing was hidden.

By the time Barclay finished reading it, the vulnerability in AT&T’s network had crystallized in his mind: “I thought, this is a better way than using a pay phone...this is a way to get around all that other stuff and do it directly.”

“It,” of course, was making free calls.

The ability to absorb 64 pages of dry, technical mumbo jumbo and spot the vulnerability is a rare one. The engineers from Bell Labs who designed the system and wrote the article didn’t see it. Thousands of engineers in the future would read that article and not see it. But 18-year-old Ralph Barclay did. The funny thing about it is, once the hole is explained to you, it’s obvious. But until it’s explained to you, most people would never think of it. Certain people have minds that are tuned in a particular way to see things like that. Ralph Barclay was one of those people.

To understand Barclay’s insight we have to think back to the things that made up AT&T’s automated long-distance network—things like the spectacularly named #4A crossbar switching system that was the brains of the long-distance telephone network, and how the machines talked to each other by speaking in tones. Because that’s what the Bell System Technical Journal described and that’s where Ralph Barclay spotted the flaw. Here’s what he came up with:

Say you’re in Seattle and, as always, you want to call your friend Bill in Denver. With Barclay’s hack, your first step is to pick up the phone and dial directory assistance in any city—let’s say New York just for fun: 212-555-1212. Unlike today, calls to directory assistance were free back then.

Seattle and New York are both big cities and have direct trunk lines between them. On a given long-distance trunk line between Seattle and New York, the switching machine in Seattle sends a 2600-Hz tone—7th octave E—to New York to indicate that the line is idle. New York sends the same tone back to Seattle to indicate that the line is not in use on its end either. Remember how in a flight of fancy an AT&T manager described the switching machines as “singing” to one another? This is the boring part of that song: You can think of it as the machines monotonously whistling this single note back and forth. It’s almost like they’re keeping each other company, reassuring each other that they’re both still there.

As you dial the last digit of the number for New York directory assistance, the fancy switching machines and their signaling systems spring to life to get your call through. Seattle finds an idle trunk to New York and stops whistling 2600 Hz on it. New York hears the trunk go silent, indicating that Seattle wants to make a call. New York sends back a “wink” signal—really just a moment of silence, no 2600-Hz tone, for about a quarter of a second. This wink tells Seattle that New York is ready and waiting for Seattle to tell it a phone number to call. Using either the SF or MF signaling language, Seattle sends New York the digits 555‑1212. In SF‑speak, this is a series of beeps of 2600 Hz. In MF‑speak, it consists of nine quick little pairs of tones that sound like brief musical notes: KP, 555 1212, and ST. The special signal called KP (“keypulse”) at the beginning tells New York to get ready, and the final note, ST (“start”), tells New York that it now has all the digits and it can start dialing.

Now that New York knows the number you want to call, it makes the local connection and the directory assistance operator’s telephone starts to ring. Up until now everything that has happened has been perfectly normal, just like Ma Bell intended. But now you, using Barclay’s hack, insert yourself into the process. Before the operator can answer, you—naughty you—hold a speaker up to your phone’s mouthpiece and play your own 2600-Hz tone down the line for a second.

Seattle isn’t paying any attention to this, but the switching machine in New York sure is. New York hears your 2600-Hz tone loud and clear and thinks that the Seattle switching machine sent it. And since this tone indicates the trunk line is idle, New York figures that Seattle is done using that trunk line, probably because you hung up. New York disconnects the call to the directory assistance operator—maybe before she’s even answered.
But now you stop sending your tone. When you stop sending 2600 Hz, the long-distance switching equipment in New York City now thinks that Seattle wants to make another call. Just like before, New York sends a wink back to Seattle to say that it’s ready for a new call. Due to the nature of the circuitry involved, the wink has a bright, metallic, ringing quality to it. It sounds like this: “Kerchink!”

That noise tells you that you have just fooled New York into thinking that a new long-distance call is coming in. Once again, the switching machine in New York is waiting for Seattle to tell it digits to dial. But Seattle isn’t going to tell it anything, because Seattle is blissfully unaware of everything that has just transpired. The only thing Seattle knows is that you haven’t hung up—you’re still on the line, after all—and Seattle believes you can only make one call every time you pick up the phone. As far as Seattle is concerned, you’re still talking to New York directory assistance.

You, on the other hand, know better: You possess guilty knowledge. Using a simple little electronic circuit, you can generate the same pairs of tones that Ma Bell’s telephone switches use to serenade each other. Once again holding up a speaker to your phone, you play the tones needed to send New York the digits KP + 303 722 7209 + ST—that is, the number of your friend Bill in Denver. Now of course, area code 303 isn’t in New York City, but that’s okay: The telephone switch in New York is a brainy #4A and knows how to route calls from one place to another—after all, Bell Labs worked hard to give it the brains to be able to do that. New York happily finds a trunk line to Denver and puts your call through, sending out tones on your behalf to instruct Denver on what number to dial. Moments later, Bill’s phone starts to ring.

Congratulations: You’ve just hijacked a phone call to directory assistance in New York and rerouted it to Bill in Denver. But that’s only half the trick. The other half is this: Your phone call to Denver is free. Why? Because Seattle is responsible for the billing of your phone call. As far as Seattle is concerned, you’re still connected to directory assistance in New York—and directory assistance is a free call.

Barclay really had three insights when he read that article in the Bell System Technical Journal. The first was that sending a 2600-Hz tone down the line resets the remote switch but doesn’t affect the local switch. The second was that you could then reroute a phone call from the remote switch to wherever you want. And the third was that the local switch is in charge of billing, so it continues to bill you for whatever call it thinks you originally made. With those three insights, he now owned Ma Bell’s network.

A few weeks after reading the Bell System Technical Journal article, Barclay made the 3-hour drive west to his hometown of Soap Lake, WA, population 1200. Home may be where the heart is, but for Barclay, home was also where his workbench, soldering iron, and electronic components were. “I was an electronic tinkerer for years and years and years,” he says. A curious one, too: His older sister remembers Barclay plugging a bobby pin into an electrical outlet when he was 4. His father, a truck driver in rural Washington, used to bring him broken TVs to fiddle with, and his bedroom was littered with electrical equipment, telephones, and radios. Barclay landed his first job—repairing broken radios—when he was in the fifth grade.

Barclay’s first box took a weekend to build. It was a simple affair, housed in an unpainted metal enclosure about 10 cm on a side and perhaps 5 cm deep. Inside was a 9-volt battery and a single transistor oscillator circuit. On the outside the box sported a surplus rotary telephone dial and a red push button. The red button would allow Barclay to disconnect a call in progress—to “seize a trunk,” in both telephone company and “phone phreak” parlance—by producing a 2600-Hz tone for as long as he held it down. When spun, the rotary dial would make short blips of 2600 Hz. If Barclay dialed the digit 6, for example, it made six short beeps. In other words, it would allow him to send digits using the older SF language.

“I was surprised!” Barclay recalls. “It worked fine the first time!”

As it happens, it also worked best the first time. Barclay quickly ran into a problem: By 1960, fewer and fewer trunk lines used SF signaling. In its push for progress and dialing speed, the Bell System was well on its way to converting most long-distance trunks to multifrequency signaling. And those trunks didn’t respond to Barclay’s single-frequency beeps. The red button still worked—he could disconnect a call in progress and hear the “kerchink” come back from the remote end—but dialing was often a problem. “It worked sometimes, not consistently,” he says—maybe one in four calls.

“That’s when I discovered that I needed multifrequency,” he says—that is, he needed to generate pairs of tones for each digit as well as for the special “keypulse” and “start” signals. Barclay started work on his multifrequency box over Christmas break. It was more complicated than the first box, what with more transistor oscillators and associated wiring and all that, so it took a bit longer to build.

Barclay added a rotary dial for making blips of 2600 Hz, but that was really just for old times’ sake: The real way you’d dial with it, the modern way, was with push buttons. Touch-tone phones weren’t a commercial reality yet, so Barclay had to come up with his own telephone keypad. He ended up using keys from an old mechanical Burroughs adding machine. Each key was fastened to a push-button switch mounted underneath it. There were 12 keys in all: Ten for the digits 0 through 9, one for the KP signal that needed to be sent before the digits, and one for the ST signal that needed to be sent after the digits.

He had it finished by Easter and it worked like a charm. He and his device became popular among a small circle of friends in his dorm, where he made calls home for them. But mostly, he says, he used it to play with the telephone network, “to see where we could call.” As Barclay recalls it, “there were very, very few calls I made that were actual phone calls”—that is, calls in which he called somebody he knew and wanted to talk to.

His new device was housed in a metal box, 30 by 17 by 7 cm and happened to be painted a lovely shade of blue. Barclay did not know it at the time, but the color of his device’s enclosure would eventually become synonymous with the device itself: The blue box had just been born. Ω

[Phil Lapsley , an electrical engineer who received a B.S. and M.S. in electrical engineering and computer science from the University of California at Berkeley and an MBA from the MIT Sloan School of Management, founded two tech companies near San Francisco before becoming a consultant for McKinsey & Co., accomplishments he cites to “look like an upstanding member of society.”]

Get the Google Reader at no cost from Google. Click on this link to go on a tour of the Google Reader. If you read a lot of blogs, load Reader with your regular sites, then check them all on one page. The Reader's share function lets you publicize your favorite posts.

Followers

Search This Blog

About Me

Born on a dark and stormy night in early 1941. I've lived a life of trial and error for more than 3 score and 10 years. It's been like hitting myself in the head with a hammer; it will feel so good when I can stop.